As more and more organizations migrate their infrastructures and services to the cloud, we are witnessing a substantial shift in the approach to security and risk management. In the early years of the cloud adoption revolution, the belief that data on the public cloud would be less secure than data kept in house was one of the main concerns for organizations looking to migrate. But is that really true, and what is the right approach to cloud security?
This perception of increased risk is mainly due to the fear that having data stored on servers and systems outside the organization will also reduce control over it. From a technical standpoint, however, the physical location of the data is definitely less important than the means used to access it. In fact, if we analyze how data is made accessible to users, a secure and encrypted cloud solution will be better than most average on-premises implementations for small and medium businesses. This is true because the cloud licensing model allows even a small organization to access enterprise-level solutions and cloud security that would otherwise be in a prohibitive budget range.
A New Approach to Security
If conceptually the cloud should be more secure, why are there still reports of growth in data breaches and security incidents in cloud environments? The answer is simple: the root cause of these problems is not the technology itself but the way it is misused from a security standpoint.
The most important factor to consider when analyzing cloud adoption from a security standpoint is that we have to take a totally different approach than before. Security is no longer based on perimeter protection and isolation but is now based on policy enforcement and compliance.
The standard approach to security in an on-premises environment is largely based on an endless race to have software that is up to date and breach proof. This, of course, drives the need for new hardware, new technology, and, again, new software that always needs to be updated. None of this is relevant in a cloud environment, where it’s the cloud provider’s responsibility to manage the updates of hardware and software, allowing us to focus on just accessing the service and exchanging data.
This sudden shift in focus means that most of the traditional security tools used in on-premises infrastructures are becoming less and less effective when applied to a cloud environment. And if an organization migrates its services to the cloud without taking the proper steps in adapting to this new model, it will find itself trying to use the wrong tools, increasing the likelihood of incurring risk through security breaches.
The past two years’ Cloud Security Reports have revealed that the top causes of security incidents are:
- Misconfiguration of cloud platforms;
- Unauthorized access through misuse of employee credentials;
- Improper access controls; and
- Insecure interfaces set to communicate with the cloud.
All of these have one thing in common: they are not inherently dependent on the cloud environment itself, but are caused by misuse and misconfiguration on the organization’s side.
The biggest takeaway from these findings is that cloud solutions should not be sold as out-of-the-box packages but that they require proper analysis, expertise, and configuration.
The cloud service provider will secure the environment where your data and services are hosted and will give all the proper tools to securely connect to it. But it’s still your organization’s responsibility to use these tools and the means to access the data in a secure way. This model is that of shared responsibility. Each party involved, the cloud provider and the cloud user, is accountable for different aspects of security.
For example, when we deploy a cloud infrastructure with email services, data storage, web services, and database servers, the cloud provider will be responsible for securing the entire back end. We will never have to worry if the servers on which our services are running are updated with the latest patches, are running the latest operating system, or are protected by the best firewalls.
On the other hand, we will still be responsible for the configuration of the access and interaction with those services. So, just to give some examples, even if your data resides on a very secure and updated environment, you will still have unwanted access if your users’ passwords are not secure, if you leave open and uncontrolled access to virtual networks, or if you’re synchronizing data without encryption.
In other words, we will still have the full responsibility to set the proper policies to access and govern our data in the cloud.
Always Be Learning
Taking this shared responsibility model into consideration, what would then be the best way to tackle the security problem? What has proven to be the most successful approach to cloud security is up-to-date training of IT staff, as well as working with specialized professionals who can apply best practices and use the proper tools to guarantee better security.
Currently, approximately 40% of organizations that adopted cloud services are using a hybrid deployment strategy, and one of the main factors slowing down a full cloud adoption is a lack of qualified staff or expertise. This, of course, applies to the security aspect, too.
We’ve already discussed how this is a true shift in how security is handled compared to the past. And with this new approach comes the introduction of new technologies, new solutions, and new ways to use them. Now more than ever, it’s important to work with professionals that have an understanding of this new technology model.
To do this, when preparing for a cloud migration project, it’s very important to reserve a budget for security and use a good part of it for training or to hire properly trained professionals. In the past, we would have used this budget to buy new firewalls and to have a professional configure them, so it really isn’t an extra cost—we’re just redirecting this budget to learn how to use all the tools, such as data governance, access management, and encryption, that are built into all of the modern solutions offered by cloud providers.
The Future of Business: Adopting the Cloud
In order to have a better understanding of cloud security, you need to know how this new model is applied in practice, as well as be able to set consistent policies based on the needs of your organization.
The growing interest in serverless and FaaS (function as a service) cloud-native applications shows us that this trend is here to stay and that we’re moving towards a full cloud environment where this security model will be king.
So, at this point in the technology evolution process, the proper question to ask yourself is not whether the cloud is secure enough. Rather, it’s whether you know enough about the cloud to fully realize its potential.